Skip to content
Roles & processors

Controller or processor?

You run the platform and determine purpose and legal basis as the controller. OXIAE is the software vendor that acts as the processor: processing strictly according to your instructions, set out in a watertight data processing agreement.

GDPR-compliant EU data residency Full audit trail

Last updated: 1 June 2026

Terms: who is who

The GDPR works with a handful of core roles. Mixing them up places responsibility in the wrong place. Below we explain each term in plain language, each with a concrete example for your platform.

Controller

The party that determines the purpose and means of the processing. In other words: whoever decides why and how personal data is processed is the controller. This party bears ultimate GDPR responsibility towards data subjects and the supervisory authority.

Example at OXIAE: You are the controller for your platform: you decide how requests come in, how they are matched and to whom they are delivered.

Processor

The party that processes personal data on behalf of and on the instructions of the controller, without determining the purpose itself. A processor acts strictly within the instructions and may not use the data for its own purposes.

Example at OXIAE: OXIAE is the software vendor that carries out intake, verification, matching and routing for your platform, acting as a processor, on your instructions and not as the owner of the purpose.

Sub-processor

A party that a processor engages to carry out part of the processing. The sub-processor works under the same arrangements that apply to the processor; the processor remains accountable for what the sub-processor does.

Example at OXIAE: The cloud-hosting provider OXIAE runs on is a sub-processor of OXIAE: bound by the same security and retention arrangements.

Joint controllership

Two or more parties jointly determine the purpose and means of a processing operation. They are then jointly responsible and must set out among themselves who fulfils which GDPR obligation, such as informing data subjects.

Example at OXIAE: This does not normally arise between you and OXIAE, since there the role allocation is clear. It can arise between you and a publisher or buyer who, together with you, determines the audience and use of a lead.

The hardest question

Your platform: who is who

On your platform, several roles are active at once: you as the operator, OXIAE as the software vendor, and the publishers and buyers you manage as users. It always comes down to one question: who determines the purpose?

Link 01

You (the operator)

Controller

You run the platform under your own brand. You set the rules for intake, matching, routing and delivery, and with that, the purpose and means of the processing. That ultimate responsibility sits with you, not with OXIAE.

Link 02

OXIAE (software vendor)

Processor

OXIAE supplies and maintains the white-label software that runs your platform, and in doing so processes personal data strictly according to your instructions and the data processing agreement, without determining the purpose itself.

Link 03

Publishers & buyers (your users)

Roles within your platform

Publishers supply requests, buyers receive them: both are roles that you configure and manage in your platform, not separate customers of OXIAE. Where publishers or buyers independently determine the purpose for their own use, they can have their own controller responsibility for that part.

Between you and OXIAE, the role allocation is set out in the data processing agreement. For publishers and buyers: they are roles within your platform, not separate contracting parties of OXIAE.

Who does what

A clear division of responsibilities between you as the controller and OXIAE as the processor.

Aspect You (controller) OXIAE (processor)
Define purpose & legal basis Decide what data in your platform is used for and on which legal basis. Processes solely for the purpose you define, never beyond it.
Process personal data Provide written instructions and boundaries for the processing through the data processing agreement. Processes only according to your instructions, carried out by the software you license.
Security Assess whether the measures fit your data, publishers, buyers and risk. Implements appropriate technical and organisational measures: encryption, access control and logging.
Set retention periods Determine in the platform how long data may be retained. Applies the configured periods and deletes or anonymises data afterwards.
Sub-processors Review and authorise the engagement of OXIAE sub-processors. Engages only pre-notified sub-processors, under the same arrangements.
Report data breaches Notify the supervisory authority and your publishers or buyers where required. Informs you without undue delay and supports the response.

The exact arrangements are set out in the data processing agreement.

What goes into the data processing agreement

The data processing agreement (often abbreviated to DPA) is the document that makes the collaboration between you and OXIAE legally watertight. The GDPR prescribes a number of core clauses; OXIAE includes these as standard, so you do not have to negotiate everything yourself.

Purpose & scope

Which data, for which purpose and within which boundaries OXIAE may process as a processor for your platform, nothing beyond that.

Instructions

OXIAE processes solely on your documented instructions as the controller, including for any onward transfer.

Security

Appropriate technical and organisational measures: encryption, access control, logging and monitoring.

Retention period

How long data is retained and when it is automatically deleted or anonymised.

Sub-processors

The conditions under which OXIAE engages sub-processors, with a notification duty and the right to object.

Right to audit

Your right to verify (or have verified) compliance, with access to reports and the audit trail.

Return & deletion

What happens on termination: return or demonstrable deletion of all personal data.

Want to request or review a data processing agreement? You will find the standard template and the request process on the dedicated page.

Go to the data processing agreement
Transparent about the chain

Sub-processors

For components such as hosting and email, OXIAE engages carefully selected sub-processors. All bound by the same security and retention arrangements set out in your data processing agreement.

We notify changes to the list in advance, so you have time to assess them. You then have an objection period of 30 days to raise a reasoned objection to a new sub-processor. The current list is always available on request.

Sub-processor Purpose Location
Cloud hosting (EU region) Storage and hosting of the application and database EU
Email service Transactional messages and notifications EU
Error monitoring & logging Security and stability monitoring EU

Last reviewed on 12 March 2026. The full, current list forms part of the data processing agreement.

Data breach: who does what, and when

Should an incident ever occur, it is set out in advance who takes which step. Speed and clarity determine whether a breach stays manageable.

01

Detection & logging

OXIAE detects the incident through monitoring and logging, records it immediately and starts the internal assessment.

02

Notification to you

As the processor, OXIAE informs you without undue delay, with the facts you need to assess your own obligation.

03

Supervisory authority assessment

As the controller, you assess whether notification to the supervisory authority is required, in principle within 72 hours of becoming aware.

04

Publishers, buyers & remediation

In case of high risk, you inform the affected publishers or buyers in your platform. OXIAE supports investigation, remediation and preventing recurrence.

On record, not verbal

Arrangements on record

Responsibilities are only reliable when they are in writing and verifiable. That is why OXIAE records the collaboration with you in a data processing agreement and enforces strict platform access based on role and permission.

  • Data processing agreement

    A data processing agreement sets out, in writing, the arrangements on purpose, instructions, security and retention periods, in line with the requirements the GDPR places on processors.

  • Least-privilege access

    No one has more access than is strictly necessary for their task. Access is tied to role and context and is reviewed periodically.

  • Roles & permissions

    Clear roles determine who in your platform may view, process or export data. Every action is traceable in the audit trail.

Frequently asked questions about roles and processors

The most common questions about responsibility, processing arrangements and sub-processors within OXIAE.

Is OXIAE a processor or a controller?

As the software vendor, OXIAE is the processor for the data the platform processes on your behalf: intake, verification, matching, routing and delivery. You remain the controller because you determine the purpose and legal basis. The role allocation is set out in the data processing agreement.

Are publishers and buyers customers of OXIAE?

No. Publishers and buyers are roles that you configure and manage in your platform. They have no direct contractual relationship with OXIAE; you are and remain responsible for how you treat them in your platform.

Who is responsible when a publisher supplies a lead through my platform?

For the platform as a whole (intake, matching, routing), you are the controller and OXIAE acts as the processor. Where a publisher independently determines its own audience and consent text for its own acquisition, that publisher can have its own controller responsibility for that part, separate from your platform.

How do I request a data processing agreement?

You will find the standard template and the request process on the /verwerkersovereenkomst page. It also sets out which core clauses are included as standard, so you do not have to negotiate from scratch.

Are sub-processors notified in advance?

Yes. New or changed sub-processors of OXIAE are notified in advance. You then have an objection period of 30 days to raise a reasoned objection. The current list is always available on request.

What happens in the event of a data breach?

OXIAE detects and records the incident and informs you without undue delay. As the controller, you assess whether notification to the supervisory authority is required, in principle within 72 hours, and inform your publishers or buyers where necessary. OXIAE supports investigation and remediation.

What happens to the data when the collaboration ends?

On termination, all personal data is returned or demonstrably deleted, in line with the arrangements in the data processing agreement. The deletion is traceable in the audit trail.

Clear on roles, watertight on paper

Book a demo and see how OXIAE demonstrably records roles, permissions and processing arrangements for your platform.